
Re: isakmpd.conf question



> On 04/01/2001, Tim Newsham <newsham@lava.net> wrote To tech@openbsd.org:
> > How do two peers agree on the rekeying time?  Do they
> > tell each other their lifetimes and then pick the common
> > minimum in the min-max range?  Or do they just verify

> Any value is proposed by the initiator. The receiver agrees
> [based on its config] or not.

Ok, this was non-obvious to me, so I thought I'd mention
it:

    Just because one IPSEC peer initiates the connection, it
    does not mean that same peer will initiate rekeying.

This confused me for a bit.  My OpenBSD box is initiating
ISAKMP negotiations and hence performs the first phase-2
keying and sets the timeout, but my peer (Altiga) is initiating
the rekeying before the OpenBSD box tries to, and hence every
subsequent rekeying interval is being determined by the
Altiga device.

                                   Tim N.

[PS: thanks to those who responded]
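To make the "offer one value, accept within a min-max range" behaviour from the reply concrete, here is an added isakmpd.conf lifetime fragment (not from the original thread). It assumes the `LIFE_DURATION=offered,min:max` syntax from isakmpd.conf(5); the section names are illustrative.

```ini
; Phase-2 transform that references a lifetime section (illustrative names)
[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID=              3DES
ENCAPSULATION_MODE=        TUNNEL
AUTHENTICATION_ALGORITHM=  HMAC_SHA
Life=                      LIFE_600_SECS

; When this host initiates a rekey it proposes 600 seconds.
; When the remote peer initiates, any proposal from 450 to 720
; seconds is accepted; anything outside that range is rejected.
[LIFE_600_SECS]
LIFE_TYPE=                 SECONDS
LIFE_DURATION=             600,450:720
```

The peer whose timer expires first initiates the rekey and proposes its own offered value, so the effective interval is driven by whichever side fires first, bounded by the other side's min:max window.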